A link, shortened through TinyURL, directs message recipients to a ViddyHo login page. That page instructs them to enter their Google account information, which is then used to break into the victim’s account and send the link to other users in the victim’s address book or buddy list.

It comes on a particularly bad day for Google, which had to contend with a Gmail outage earlier. The search company didn’t immediately respond to a request for comment.

But the Internet is already buzzing with people who were scammed or are warning others not to fall for it. Jun Loayza, a 23-year-old tech entrepreneur in Westminster, Calif., got the link from a Google Chat buddy who he barely remembers. But the instant message — “‘LOL’ and the link,” he said — piqued his curiosity. “When it says ‘LOL,’ I think ‘must click,” he joked. The site loaded slowly, so he closed the browser before logging in, then started seeing warning messages on Twitter.

“I guess there’s a lot of people that still fall for it,” he said.

Paul Henry, an Ocala, Fla. security consultant, said that this attack is particularly treacherous because the spam appears during chat sessions between friends.

The ViddyHo homepage a few hours after GChat users started getting spammed.

“It’s a great way, from a social-engineering perspective, to distribute Web-borne malware,” he said. “People have to understand that the implied trust that we have, somewhat, had to date with things such as chat programs, is really nonexistent. Anyone has the ability today to hijack an account and broadcast messages.”

Also complicating the matter is that the URL is obscured through TinyURL, which changes Web address to a variation of tinyurl.com/address as a way of shortening long URLs. “It helps you somewhat disguise where you’re sending it,” Mr. Henry said.

The ViddyHo site is already being blocked by some browsers, and the TinyURL link has been disabled. ViddyHo has only been around for about nine days, said Dan Hubbard, chief technology officer at security firm Websense, and is registered with fraudulent information. Like Mr. Henry, he said users should take standard online-security precautions, like avoiding entering personal information on unfamiliar sites.

That’s particularly risky in the case of Google, he said, since a spammer with access to a victim’s GChat account might use it to tap his or her Gmail, Blogger or other Google accounts.

UPDATE: Kevin Gilbertson, TinyURL’s founder, said that the site is now blocking any TinyURLs from being created that point to the site.